the summation truncation hybrid reusing discarded bits
play

The Summation-Truncation Hybrid: Reusing Discarded Bits for Free - PowerPoint PPT Presentation

Sep 08, 2022 •357 likes •931 views

The Summation-Truncation Hybrid: Reusing Discarded Bits for Free Aldo Gunsing and Bart Mennink Crypto 2020 1 / 14 PRP vs. PRF Many symmetric cryptographic schemes are based on pseudorandom permutations (PRPs) like AES 2 / 14 PRP vs. PRF

  1. The Summation-Truncation Hybrid: Reusing Discarded Bits for Free Aldo Gunsing and Bart Mennink Crypto 2020 1 / 14

  2. PRP vs. PRF ◮ Many symmetric cryptographic schemes are based on pseudorandom permutations (PRPs) like AES 2 / 14

  3. PRP vs. PRF ◮ Many symmetric cryptographic schemes are based on pseudorandom permutations (PRPs) like AES ◮ A lot of modes only use the forward direction, not making use of the invertibility 2 / 14

  4. PRP vs. PRF ◮ Many symmetric cryptographic schemes are based on pseudorandom permutations (PRPs) like AES ◮ A lot of modes only use the forward direction, not making use of the invertibility ◮ In this case using a pseudorandom function (PRF) is often more secure 2 / 14

  5. PRP vs. PRF ◮ Many symmetric cryptographic schemes are based on pseudorandom permutations (PRPs) like AES ◮ A lot of modes only use the forward direction, not making use of the invertibility ◮ In this case using a pseudorandom function (PRF) is often more secure ◮ Prominent example: CTR mode 0 1 2 0 1 2 P P P F F F x 0 x 1 x 2 x 0 x 1 x 2 y 0 y 1 y 2 y 0 y 1 y 2 n / 2-bit security n -bit-security 2 / 14

  6. PRP-to-PRF Conversion ◮ We could design a dedicated PRF ◮ However, we have little understanding in how to design one 3 / 14

  7. PRP-to-PRF Conversion ◮ We could design a dedicated PRF ◮ However, we have little understanding in how to design one ◮ Alternatively, we can design a PRP-to-PRF conversion 3 / 14

  8. PRP-to-PRF Conversion ◮ We could design a dedicated PRF ◮ However, we have little understanding in how to design one ◮ Alternatively, we can design a PRP-to-PRF conversion ◮ PRP-PRF switch: PRP behaves like a PRF up to the birthday bound 3 / 14

  9. PRP-to-PRF Conversion ◮ We could design a dedicated PRF ◮ However, we have little understanding in how to design one ◮ Alternatively, we can design a PRP-to-PRF conversion ◮ PRP-PRF switch: PRP behaves like a PRF up to the birthday bound ◮ Conversions like summation and truncation achieve beyond birthday bound security 3 / 14

  10. Summation and Truncation x � 0 x � 1 P P y 4 / 14

  11. Summation and Truncation x � 0 x � 1 P P y ◮ Sums two consecutive calls 4 / 14

  12. Summation and Truncation x � 0 x � 1 P P y ◮ Sums two consecutive calls ◮ n -bit security 4 / 14

  13. Summation and Truncation x x � 0 x � 1 n P P P a n − a y y ◮ Sums two consecutive calls ◮ n -bit security 4 / 14

  14. Summation and Truncation x x � 0 x � 1 n P P P a n − a y y ◮ Sums two consecutive calls ◮ Truncates a call to the first a bits ◮ n -bit security 4 / 14

  15. Summation and Truncation x x � 0 x � 1 n P P P a n − a y y ◮ Sums two consecutive calls ◮ Truncates a call to the first a bits ◮ Discards the other n − a bits ◮ n -bit security 4 / 14

  16. Summation and Truncation x x � 0 x � 1 n P P P a n − a y y ◮ Sums two consecutive calls ◮ Truncates a call to the first a bits ◮ Discards the other n − a bits ◮ n -bit security ◮ Used in the key derivation function of GCM-SIV 4 / 14

  17. Summation and Truncation x x � 0 x � 1 n P P P a n − a y y ◮ Sums two consecutive calls ◮ Truncates a call to the first a bits ◮ Discards the other n − a bits ◮ n -bit security ◮ Used in the key derivation function of GCM-SIV ◮ n − a / 2-bit security 4 / 14

  18. Summation-Truncation Hybrid ◮ Instead of discarding bits, we can reuse them by applying summation 5 / 14

  19. Summation-Truncation Hybrid x � 0 x � 1 ◮ Instead of discarding bits, we can reuse n n them by applying summation ◮ This leads to the Summation-Truncation P P Hybrid (STH) a n − a a n − a u v w 5 / 14

  20. Summation-Truncation Hybrid x � 0 x � 1 ◮ Instead of discarding bits, we can reuse n n them by applying summation ◮ This leads to the Summation-Truncation P P Hybrid (STH) ◮ Outputs n − a extra bits compared to a n − a a n − a truncation u v w 5 / 14

  21. Summation-Truncation Hybrid x � 0 x � 1 ◮ Instead of discarding bits, we can reuse n n them by applying summation ◮ This leads to the Summation-Truncation P P Hybrid (STH) ◮ Outputs n − a extra bits compared to a n − a a n − a truncation ◮ But we show that it has equal security! u v w 5 / 14

  22. Summation-Truncation Hybrid x � 0 x � 1 ◮ Instead of discarding bits, we can reuse n n them by applying summation ◮ This leads to the Summation-Truncation P P Hybrid (STH) ◮ Outputs n − a extra bits compared to a n − a a n − a truncation ◮ But we show that it has equal security! ◮ Identical to summation when a = 0 u v w 5 / 14

  23. Proof Sketch: Idea $ ← − Perm[ n ] P 0 1 P P u v w 6 / 14

  24. Proof Sketch: Idea $ ← − Perm[ n ] P 0 1 P P u v w ◮ Try to separate the truncation and summation parts 6 / 14

  25. Proof Sketch: Separating STH $ P ← − Perm[ n ] 0 1 0 1 P P P P u v u v w 7 / 14

  26. Proof Sketch: Separating STH $ P ← − Perm[ n ] 0 1 0 1 P P P P u v u v w ◮ Just write the two parts separately 7 / 14

  27. Proof Sketch: Separating STH $ P ← − Perm[ n ] 0 1 0 1 P P P P u v u v w ◮ Just write the two parts separately ◮ Problem: there is a shared secret P 7 / 14

  28. Proof Sketch: Permutation-Separated STH $ $ P ′ ← − P ← − Perm[ n ] 0 1 0 1 P P P ′ P ′ u v u v w 8 / 14

  29. Proof Sketch: Permutation-Separated STH $ $ P ′ ← − P ← − Perm[ n ] 0 1 0 1 P P P ′ P ′ u v u v w ◮ We re-choose the permutation, but keep the same distribution 8 / 14

  30. Proof Sketch: Permutation-Separated STH $ $ P ′ ← − Perm comp ( u , v ) P ← − Perm[ n ] 0 1 0 1 P P P ′ P ′ u v u v w ◮ We re-choose the permutation, but keep the same distribution ◮ Perm comp ( u , v ) is the set of all permutations that give ( u , v ) as truncation output 8 / 14

  31. Proof Sketch: Permutation-Separated STH $ $ P ′ ← − Perm comp ( u , v ) P ← − Perm[ n ] 0 1 0 1 P P P ′ P ′ u v u v w ◮ We re-choose the permutation, but keep the same distribution ◮ Perm comp ( u , v ) is the set of all permutations that give ( u , v ) as truncation output ◮ No shared secret, as u and v are public! 8 / 14

  32. Proof Sketch: Isolating Truncation $ $ P ′ ← − Perm comp ( u , v ) P ← − Perm[ n ] 0 1 0 1 P P P ′ P ′ u v u v w 9 / 14

  33. Proof Sketch: Isolating Truncation $ $ P ′ ← − Perm comp ( u , v ) P ← − Perm[ n ] 0 1 0 1 − { 0 , 1 } a $ ← u P P P ′ P ′ − { 0 , 1 } a $ ← v u v u v w ◮ Replace the truncation by a random function 9 / 14

  34. Proof Sketch: Isolating Truncation $ $ P ′ ← − Perm comp ( u , v ) P ← − Perm[ n ] 0 1 0 1 − { 0 , 1 } a $ ← u P P P ′ P ′ − { 0 , 1 } a $ ← v u v u v w ◮ Replace the truncation by a random function ◮ Perm comp ( u , v ) still well-defined, although u and v are generated differently 9 / 14

  35. Proof Sketch: Summation Modifications $ P ′ ← − Perm comp ( u , v ) 0 1 P ′ P ′ u v U V w = U ⊕ V 10 / 14

  36. Proof Sketch: Summation Modifications $ P ′ ← − Perm comp ( u , v ) ◮ Modified summation with 0 1 subvalues U and V P ′ P ′ u v U V w = U ⊕ V 10 / 14

  37. Proof Sketch: Summation Modifications $ P ′ ← − Perm comp ( u , v ) ◮ Modified summation with 0 1 subvalues U and V ◮ What are their distributions? P ′ P ′ u v U V w = U ⊕ V 10 / 14

  38. Proof Sketch: Summation Modifications $ P ′ ← − Perm comp ( u , v ) ◮ Modified summation with 0 1 subvalues U and V ◮ What are their distributions? P ′ P ′ ◮ U has a uniform distribution u v U V w = U ⊕ V 10 / 14

  39. Proof Sketch: Summation Modifications $ P ′ ← − Perm comp ( u , v ) ◮ Modified summation with 0 1 subvalues U and V ◮ What are their distributions? P ′ P ′ ◮ U has a uniform distribution ◮ For V it depends: u v ◮ If v � = u , V is uniform from { 0 , 1 } b U V ◮ If v = u , V is uniform from { 0 , 1 } b \ { U } w = U ⊕ V 10 / 14

  40. Proof Sketch: Alternative Description $ P k ← − Perm[ b ] 0 1 P u P v U V w = U ⊕ V 11 / 14

  41. Proof Sketch: Alternative Description $ P k ← − Perm[ b ] ◮ We modify the construction 0 1 to a family of permutations P u P v U V w = U ⊕ V 11 / 14

  42. Proof Sketch: Alternative Description $ P k ← − Perm[ b ] ◮ We modify the construction 0 1 to a family of permutations ◮ We get the same distributions of U and V P u P v U V w = U ⊕ V 11 / 14

  43. Proof Sketch: Alternative Description $ P k ← − Perm[ b ] ◮ We modify the construction 0 1 to a family of permutations ◮ We get the same distributions of U and V P u P v ◮ U has a uniform distribution U V w = U ⊕ V 11 / 14

  44. Proof Sketch: Alternative Description $ P k ← − Perm[ b ] ◮ We modify the construction 0 1 to a family of permutations ◮ We get the same distributions of U and V P u P v ◮ U has a uniform distribution ◮ For V it depends: ◮ If v � = u , V is uniform from { 0 , 1 } b U V ◮ If v = u , V is uniform from { 0 , 1 } b \ { U } w = U ⊕ V 11 / 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MIPS Instruction Formats 6 bits 5 bits 5 bits 5 bits 5 bits 6 bits for instance,

MIPS Instruction Formats 6 bits 5 bits 5 bits 5 bits 5 bits 6 bits for instance,

MIPS Instruction Formats 6 bits 5 bits 5 bits 5 bits 5 bits 6 bits for instance, add r1, r2, r3 has - 000000 00010 00011 00001 00000 100000 opcode (OP) tells the machine which format 1 VAX Instruction Formats (x86

431 views • 20 slides
1 Transducers Inherently Discrete values devices that convert from one representation to

1 Transducers Inherently Discrete values devices that convert from one representation to

Interpretation of bits depends on context meaning of a group of bits depends on how they are interpreted 1 byte could be Bits, Bytes, 1 bit in use, 7 wasted bits (e.g., M/F in a database) 8 bits storing a number between 0 and 255

543 views • 3 slides
Hash Truncation Tim Polk August 1, 2005 Why Hash Truncation? Assume we have confidence in a

Hash Truncation Tim Polk August 1, 2005 Why Hash Truncation? Assume we have confidence in a

Hash Truncation Tim Polk August 1, 2005 Why Hash Truncation? Assume we have confidence in a hash algorithm H that produces a digest of length N If an application or protocol needs a message digest of length Np, and Np < N

383 views • 7 slides
Truncation Error in Image Interpolation Loc Simon SampTA 2013 - Bremen 1 Collaborator

Truncation Error in Image Interpolation Loc Simon SampTA 2013 - Bremen 1 Collaborator

Truncation Error in Image Interpolation Loc Simon SampTA 2013 - Bremen 1 Collaborator Jean-Michel Morel 2 Truncation error: What is that? X k s X t s 3 Truncation error: What is that? X X t := X k sinc( t k ) k Z 2 4

737 views • 51 slides
Bits and Bytes Topics Topics Why bits? Representing information as bits

Bits and Bytes Topics Topics Why bits? Representing information as bits

Systems I Bits and Bytes Topics Topics Why bits? Representing information as bits Binary/Hexadecimal Byte representations numbers characters and strings Instructions Bit-level manipulations Boolean algebra

614 views • 33 slides
ACCURATE FLOATING-POINT SUMMATION IN CUB URI VERNER Summer intern OUTLINE Who needs accurate

ACCURATE FLOATING-POINT SUMMATION IN CUB URI VERNER Summer intern OUTLINE Who needs accurate

ACCURATE FLOATING-POINT SUMMATION IN CUB URI VERNER Summer intern OUTLINE Who needs accurate floating-point summation? ! Round-off error: source and recovery A new method for accurate FP summation on a GPU Added as a function to the open-source

619 views • 28 slides
An adaptive plurigaussian truncation scheme for geological uncertainty quantification using EnKF.

An adaptive plurigaussian truncation scheme for geological uncertainty quantification using EnKF.

Introduction The Adaptive Plurigaussian Truncation (APT) EnKF framework Experiment Conclusions An adaptive plurigaussian truncation scheme for geological uncertainty quantification using EnKF. Bogdan Sebacher, Remus Hanea, Arnold Heemink

719 views • 35 slides
A new Balanced Truncation Model Reduction Approach for Large Scale LTI Systems with many Ports

A new Balanced Truncation Model Reduction Approach for Large Scale LTI Systems with many Ports

Introduction Basics Balanced Truncation for Many Ports Outlook and Acknowledgement A new Balanced Truncation Model Reduction Approach for Large Scale LTI Systems with many Ports Peter Benner and Andr e Schneider Chemnitz University of

623 views • 45 slides
Meet in the Middle Attack Using Output Truncation in 3 Pass HAVAL Yu Sasaki NTT

Meet in the Middle Attack Using Output Truncation in 3 Pass HAVAL Yu Sasaki NTT

Meet in the Middle Attack Using Output Truncation in 3 Pass HAVAL Yu Sasaki NTT Corporation 07/Sep/2009 ISC2009@Pisa 1/22 Yu Sasaki, MitM using output truncation of 3 Haval Summary HAVAL is a hash function that can produce

507 views • 23 slides
Bits and Bytes Aug. 29, 2002 Topics Topics n Why bits? n Representing information as bits l

Bits and Bytes Aug. 29, 2002 Topics Topics n Why bits? n Representing information as bits l

15-213 The Class That Gives CMU Its Zip! Bits and Bytes Aug. 29, 2002 Topics Topics n Why bits? n Representing information as bits l Binary/Hexadecimal l Byte representations numbers characters and strings Instructions n

690 views • 34 slides
Algorithms using real numbers (continued) Noter ch.4 Algorithms using real numbers

Algorithms using real numbers (continued) Noter ch.4 Algorithms using real numbers

Algorithms using real numbers (continued) Noter ch.4 Algorithms using real numbers Representable numbers Rounding/truncation IEEE standard and Java Summation order Newton iteration More iteration

197 views • 18 slides
C/C++ review bits & bytes Same bits, different interpretation What is the value of

C/C++ review bits & bytes Same bits, different interpretation What is the value of

CSC209 Fall 2001 C/C++ review bits & bytes Same bits, different interpretation What is the value of 11111111 ? it depends on the type (unsigned) char 1 byte = 8 bits, (unsigned) Unsigned: 255 short int 2 bytes =

255 views • 12 slides
Short Digital Signatures and ID- KEMs via Truncation Collision Resistance Tibor Jager Rafael

Short Digital Signatures and ID- KEMs via Truncation Collision Resistance Tibor Jager Rafael

Short Digital Signatures and ID- KEMs via Truncation Collision Resistance Tibor Jager Rafael Kurek Paderborn University Paderborn University 1 Contributions New security notion for standard Hash Functions Truncation-Collision

509 views • 36 slides
Hybrid Construction Hybrid Construction Hybrid Construction Hybrid Construction 1 VP

Hybrid Construction Hybrid Construction Hybrid Construction Hybrid Construction 1 VP

Hybrid Construction Hybrid Construction Hybrid Construction Hybrid Construction 1 VP University VP University WHEN DO YOU USE HYBRI D CONSTRUCTI ON? Hybrid Construction is an economical alternative to conventional steel structures

431 views • 15 slides
2 4 0 = 2 x 10 2 + 4 x 10 1 + 0 x 10 0 100 10 1 weight Representing Data with Bits 10 2 10 1

2 4 0 = 2 x 10 2 + 4 x 10 1 + 0 x 10 0 100 10 1 weight Representing Data with Bits 10 2 10 1

Wellesley CS 240 - Data as Bits 8/31/16 positional number representation 2 4 0 = 2 x 10 2 + 4 x 10 1 + 0 x 10 0 100 10 1 weight Representing Data with Bits 10 2 10 1 10 0 position 2 1 0 Base determines: bits, bytes, numbers, and

556 views • 6 slides
1 2-bits, 4-bits, 6-bits, a dollar The ripple carry adder o We have a 1-bit ALU that performs

1 2-bits, 4-bits, 6-bits, a dollar The ripple carry adder o We have a 1-bit ALU that performs

Starting out slow The CPU s workhorse o Logical operations are easiest, because they map Constructing a basic ALU directly onto the hardware. o Of course we will need to CS240 Computer Organization array this to a full 32- Department of

161 views • 4 slides
LATTICE SUSY joel.giedt, simon.catterall, raghav.govind.jha, david.schaich DESPERATELY SEEKING

LATTICE SUSY joel.giedt, simon.catterall, raghav.govind.jha, david.schaich DESPERATELY SEEKING

LATTICE SUSY joel.giedt, simon.catterall, raghav.govind.jha, david.schaich DESPERATELY SEEKING SUSY (ELISE TOO) WILSON FERMION N=4 Can impose SO(4), gauge invariance 8-dimensional parameter space to fine-tune in Notice rescaling of fields

254 views • 12 slides
Announcements Thursday Extras: CS Commons on Thursdays @ 4:00 pm Monday Extra, Oct. 8, 4:15 pm,

Announcements Thursday Extras: CS Commons on Thursdays @ 4:00 pm Monday Extra, Oct. 8, 4:15 pm,

Announcements Thursday Extras: CS Commons on Thursdays @ 4:00 pm Monday Extra, Oct. 8, 4:15 pm, Science 2022 Careers in CS and Informal Talk by Grinnell CS Alumni Thursday: CS Student Research Group External Reviewers on campus:

81 views • 5 slides
Differential Privacy (Part III) Approximate (or ( , ))-differential privacy

Differential Privacy (Part III) Approximate (or ( , ))-differential privacy

Differential Privacy (Part III) Approximate (or ( , ))-differential privacy Generalized definition of differential privacy allowing for a (supposedly small) additive factor Used in a variety of applications A query mechanism M is (

1.27k views • 43 slides
Value of Perfect Information A W U MEU with no evidence Umbrella leave sun 100 U leave

Value of Perfect Information A W U MEU with no evidence Umbrella leave sun 100 U leave

Value of Perfect Information A W U MEU with no evidence Umbrella leave sun 100 U leave rain 0 take sun 20 MEU if forecast is bad Weather take rain 70 MEU if forecast is good Forecast Forecast distribution F P(F) good 0.59

711 views • 37 slides
An R package for analyzing truncated data Alvarez 1 and Rosa M. Crujeiras 2 na- Carla Moreira 1

An R package for analyzing truncated data Alvarez 1 and Rosa M. Crujeiras 2 na- Carla Moreira 1

An R package for analyzing truncated data Alvarez 1 and Rosa M. Crujeiras 2 na- Carla Moreira 1 , Jacobo de U 1 Department of Statistics and OR, University of Vigo 2 Department of Statistics and OR, University of Santiago de Compostela

552 views • 32 slides
Low-Rank Tensor Techniques for High-Dimensional Problems Daniel Kressner CADMOS Chair for

Low-Rank Tensor Techniques for High-Dimensional Problems Daniel Kressner CADMOS Chair for

Low-Rank Tensor Techniques for High-Dimensional Problems Daniel Kressner CADMOS Chair for Numerical Algorithms and HPC MATHICSE, EPFL 1 Contents What is a tensor? Applications Matrices and low rank CP and Tucker

1.51k views • 121 slides
Truncatjon Errors Numerical Integratjon Multjple Support Excitatjon Giacomo Boffj

Truncatjon Errors Numerical Integratjon Multjple Support Excitatjon Giacomo Boffj

Truncatjon Errors Numerical Integratjon Multjple Support Excitatjon Giacomo Boffj htup://intranet.dica.polimi.it/people/boffjgiacomo Dipartjmento di Ingegneria Civile Ambientale e Territoriale Politecnico di Milano April 2, 2020

1.16k views • 97 slides
Operations that preserve integrability, and truncated Riesz spaces Marco Abbadini Dipartimento di

Operations that preserve integrability, and truncated Riesz spaces Marco Abbadini Dipartimento di

Operations that preserve integrability, and truncated Riesz spaces Marco Abbadini Dipartimento di Matematica Federigo Enriques Universit` a degli studi di Milano, Italy marco.abbadini@unimi.it Talk based on M. Abbadini, Operations that

743 views • 27 slides

More recommend